Provider organizations that send protected health information (PHI) by text message or Gmail are violating HIPAA and could be fined by HHS. The HHS Office for Civil Rights (OCR) has been stepping up HIPAA enforcement, and in the last month a hospice and a small medical office have received fines.

This warning came in an EMRApproved.com webinar featuring Mike Semel, a HIPAA compliance consultant.

According to Semel, president of Semel Consulting, provider organizations are also facing HIPAA scrutiny as a result of new HHS audits of Meaningful Use compliance. “A HIPAA risk analysis is part of Meaningful Use attestation. When HHS conducts a Meaningful Use audit, they will check an organization’s HIPAA compliance,” Semel said.

Semel said that sending e-mail via a certified EHR is proper. He said no web mail service (e.g. Gmail, Hotmail, Yahoo) is encrypted and secure. Sending patient information via text messages is an “increasingly common” HIPAA violation since many physicians and nurses are sending medical communications on their cell phones.

Semel said HHS has not published specific standards for how a HIPAA risk analysis must be performed. However, providers should review NIST (National Institute of Standards and Technology) Special Publication 800-30, the guide for conducting risk assessments, as a playbook for the process. “If you follow the NIST standards, you will pass an HHS audit,” Semel said.

Semel said it is unclear how HHS is selecting organizations for Meaningful Use audits, but reports indicate that organizations with prior issues with Medicare or Medicaid payments may be targeted.

Another problem is that provider organizations may not have obtained required business associate agreements. For example, providers should require law firms and document destruction (shredding) companies to sign them. “When you bring a box of paper medical records or computer disks to the shredding company, they are briefly in possession of PHI, even if the material is immediately destroyed,” he said.

Another common HIPAA violation is failure to designate a compliance officer. Every medical office, even a solo practitioner, must designate a compliance officer who undergoes HIPAA training and assumes responsibility for end user education.

To pass a HIPAA audit, intention is not enough. It must be coupled with action. If a provider organization has not yet completed a HIPAA risk analysis, it is better to do it late than to skip it and hope for the best.

Just in case you missed it, HHS announced the first HIPAA breach settlement involving fewer than 500 patients. “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. http://www.hhs.gov/news/press/2013pres/01/20130102a.html

Boxman

This makes no logical sense; if texting PHI is bad, then talking about it should be considered even worse. After all, both transmissions go over the same cellular network, and are equally vulnerable to being intercepted by evildoers.

I guess this means we should all throw our cellphones away and switch to military-grade encrypted satellite phones for all conversations between medical personnel.